OneWebDesk

SPF Lookup Counter

Count a domain's SPF DNS lookups and flag the 10-lookup limit.

The SPF Lookup Counter fetches a domain's SPF record (v=spf1) and then recursively follows its include, redirect, a, mx, ptr and exists mechanisms, summing the DNS lookups they trigger. RFC 7208 limits a single mail evaluation to 10 DNS lookups; exceeding it causes receiving servers to return permerror, which can fail SPF authentication entirely.

If your mail keeps landing in spam or SPF won't pass, blowing past this 10-lookup limit is a common cause. Enter a domain and the tool expands the include chain to show exactly how many lookups you consume today and where the count grows. Once you see the breakdown, consider SPF flattening to cut it down. View the raw SPF record and its mechanisms in SPF Record Lookup, and your domain's overall authentication in Email Deliverability Check.

The SPF 10-lookup limit

During SPF evaluation, the mechanisms that trigger DNS lookups are include, a, mx, ptr, exists and the redirect modifier. If their total exceeds 10, RFC 7208 mandates a permerror. By contrast, ip4, ip6, all and exp trigger no DNS lookups and do not count toward the limit.

  • include: pulls in another domain's SPF — 1 lookup itself, plus its nested lookups
  • a / mx: A/MX lookup for a host — 1 each (one per mechanism, even with multiple MX)
  • ptr: a discouraged mechanism — 1 lookup
  • exists: an A lookup after macro expansion — 1 lookup
  • redirect=: delegates to another domain's SPF — 1 lookup
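The counting rules above, applied to a small record tree, as an added example (not this tool's own code). The zone contents and every domain name are constructed, `count_lookups` and `verdict` are hypothetical names, and the visited-domain handling assumes a repeated include still costs its own lookup while its contents are not summed again.

```python
import re

# Constructed sample zone: domain -> SPF TXT record. All names are hypothetical.
ZONE = {
    "example.test": "v=spf1 mx a:mail.example.test include:_spf.esp.test "
                    "include:crm.test ip4:192.0.2.0/24 -all",
    "_spf.esp.test": "v=spf1 include:a.esp.test include:b.esp.test ~all",
    "a.esp.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    # Loops back to its parent to exercise the visited-domain guard.
    "b.esp.test": "v=spf1 exists:%{i}.bl.esp.test include:_spf.esp.test ~all",
    "crm.test": "v=spf1 redirect=_spf.crm.test",
    "_spf.crm.test": "v=spf1 a mx ptr ip6:2001:db8::/32 -all",
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10  # RFC 7208 DNS-lookup limit per evaluation
TERM_RE = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?")

def count_lookups(domain, zone, visited=None, depth=0, trace=None):
    """Return (total, trace); trace holds (depth, domain, term) per counted lookup."""
    visited = set() if visited is None else visited
    trace = [] if trace is None else trace
    visited.add(domain)
    record = zone.get(domain, "").lower()
    if not record.startswith("v=spf1"):
        return 0, trace  # no SPF record published at this name
    total = 0
    for term in record.split()[1:]:
        m = TERM_RE.match(term)
        if not m or m.group(1) not in LOOKUP_TERMS:
            continue  # ip4, ip6, all, exp: no DNS lookup, not counted
        name, target = m.groups()
        total += 1  # the mechanism or modifier itself costs one lookup
        trace.append((depth, domain, term))
        # Only include and redirect pull in another record; skip visited targets.
        if name in ("include", "redirect") and target and target not in visited:
            total += count_lookups(target, zone, visited, depth + 1, trace)[0]
    return total, trace

def verdict(domain, zone):
    """'permerror' when the summed lookups exceed the limit, else 'ok'."""
    return "permerror" if count_lookups(domain, zone)[0] > LIMIT else "ok"

if __name__ == "__main__":
    total, trace = count_lookups("example.test", ZONE)
    for depth, owner, term in trace:
        print(f"{'  ' * depth}{owner}: {term}")
    print(f"total={total} limit={LIMIT} -> {verdict('example.test', ZONE)}")
```

The indented trace shows where the count grows, which is the place to start when deciding which includes to flatten or drop.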

How to reduce it (SPF flattening)

The most common fix is SPF flattening: resolve the IP ranges that your include chain ultimately points to and replace them with direct ip4/ip6 terms, eliminating nested lookups. The trade-off is that you must re-update the record whenever a provider's IPs change, so use an auto-updating service or review it regularly. Drop includes for mail providers you no longer use, and if needed split SPF across subdomains by service.

Frequently asked questions

What happens if the count exceeds 10?
Receiving mail servers may treat SPF evaluation as a permerror, in which case SPF authentication fails and your mail is more likely to be rejected or marked as spam. Keep the total at 10 or below.
Do ip4/ip6 terms count toward the limit?
No. ip4, ip6, all and exp trigger no DNS lookups and don't count. Only include, a, mx, ptr, exists and redirect count toward the 10-lookup limit.
Does it count includes inside includes?
Yes. include and redirect re-fetch the target domain's SPF and recursively sum its inner mechanisms. To avoid loops, an already-visited domain is not counted again.
Where do queries go? Is my input stored?
We query only TXT records via a public DNS-over-HTTPS resolver. The input domain is held briefly for result caching (about two minutes) and is not otherwise transmitted or stored.
